Idea ID: 1653710

SHA2 certificates should not be overwritten after running the OMi Configuration Wizard with old SHA1

Status: Delivered
over 2 years ago

There is a CORRECT procedure for this migration:

https://softwaresupport.softwaregrp.com/doc/KM03187187

OBM Certificate Migration, SHA-1 to SHA-2/SHA-3


To migrate OMi certificates from SHA1 to SHA2 you need to follow the steps below, provided by CPE:

- Enable smart card authentication using config-server-wizard (if you are not already using smart card authentication).
- Check that everything is working fine.
- Follow the steps below to migrate SHA1-signed certificates to SHA2-signed certificates:


1. Create a new SHA2-signed CA certificate on OMi
- Move to a stronger RSA key size on the OMi server as well as on the managed nodes by setting the ASYMMETRIC_KEY_LENGTH configuration under the sec.cm namespace:
# ovconfchg -ns sec.cm -set ASYMMETRIC_KEY_LENGTH 4096
- Set the HASH_ALGO configuration under the sec.core namespace to the desired and supported hash algorithm on the OMi server:
# ovconfchg -ns sec.core -set HASH_ALGO eSHA512
(Question from the submitter: is the value eSHA512 or SHA512?)
- A tool called MigrateAsymKey is shipped with OvSecCs 11.10.035 that takes two parameters, "-createCAcert" and "-createNodecert". (Question from the submitter: where can I find this tool?)
- Run the MigrateAsymKey tool with the "-createCAcert" option; this creates a new CA certificate with a 3072-bit RSA key size, signed using the configured hash algorithm:
# /opt/OV/lbin/seccs/install/MigrateAsymKey.sh -createCAcert


2. Update trusted certificates on all OMi agents
- Update trusted certificates using the "ovcert -updatetrusted" command:
# ovcert -updatetrusted


3. Issue a new server node certificate on OMi
- Create a new node certificate for the local agent and other keystores using the MigrateAsymKey tool with the "-createNodecert" option:
# /opt/OV/lbin/seccs/install/MigrateAsymKey.sh -createNodecert


4. Migrate all OMi agents to new certificates and redeploy all policies afterwards (per node). (Question from the submitter: why is policy redeployment required?)
- To have the nodes with only SHA512 certificates, follow the steps below.
- Remove all existing certificates on the node using the "ovcert -remove" command.
- Ensure HASH_ALGO and ASYMMETRIC_KEY_LENGTH are the same as on the OMi server:
# ovconfchg -ns sec.core -set HASH_ALGO eSHA512
# ovconfchg -ns sec.cm -set ASYMMETRIC_KEY_LENGTH 4096
- Request a new certificate using the "ovcert -certreq" command:
# ovcert -certreq
- Grant the certificate request from the OMi server.
After the nodes have their new certificates, the OMi setup will not be fully operational until all the policies have been redeployed. (Question from the submitter: what would happen if I miss redeploying policies on the nodes?)
Redeployment is required to override the policies with the new certificates.


5. After all the agents are migrated, remove the old CA certificate from the server trust stores and update trusted certificates ("ovcert -updatetrusted") on all agents.

However, if you run the Configuration Wizard, the changes will be overwritten:
Note: Please don't run config-server-wizard after migrating from SHA1 to SHA2. This will override the new SHA2 certificates with the old SHA1 certificates, and that is where services setup takes more time.
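As an added example (not part of the original post, and not OMi/OBM or Operations Agent code), the following stand-alone Python script audits the signature algorithm of certificate files, so that after step 5, or after any later run of config-server-wizard, you can confirm that the server CA and node certificates are still SHA-2/SHA-3 signed rather than silently reverted to SHA-1. It assumes only that the certificates have been exported to PEM or DER files on disk; it uses nothing outside the Python standard library and reads the outer signatureAlgorithm field of the X.509 structure directly. The `make_sample_cert` fixture is constructed for the example (a structural skeleton with a placeholder TBS body, not a real certificate), and the OID table is the standard RFC 3279/4055/5758 and NIST SHA-3 arc.

```python
"""Audit X.509 certificate signature algorithms (added example, stdlib only).

Usage: python cert_sig_audit.py ca.pem node.der ...
Each file is reported as weak (MD5/SHA-1), ok (SHA-2/SHA-3), check or unknown.
"""
import base64
import re
import sys

# Signature-algorithm OIDs (RFC 3279/4055/5758; SHA-3 arc from NIST CSOR).
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "weak"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "weak"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "weak"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "ok"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "ok"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "ok"),
    "1.2.840.113549.1.1.10": ("rsassaPss", "check"),  # hash lives in the params, not inspected here
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "ok"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "ok"),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", "ok"),
    "2.16.840.1.101.3.4.3.14": ("rsa-with-SHA3-256", "ok"),
    "2.16.840.1.101.3.4.3.15": ("rsa-with-SHA3-384", "ok"),
    "2.16.840.1.101.3.4.3.16": ("rsa-with-SHA3-512", "ok"),
}


def _read_tlv(data, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long form: (first & 0x7F) length octets follow
        n = first & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode OID content octets into a dotted string."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                  # last base-128 digit of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _pem_to_der(data):
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data


def signature_oid(cert):
    """Return the dotted OID of the outer signatureAlgorithm of a PEM or DER certificate."""
    der = _pem_to_der(cert)
    tag, pos, _ = _read_tlv(der, 0)                  # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, pos)              # tbsCertificate, skipped whole
    _, alg_pos, _ = _read_tlv(der, tbs_end)          # signatureAlgorithm ::= SEQUENCE
    tag, oid_start, oid_end = _read_tlv(der, alg_pos)  # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return _decode_oid(der[oid_start:oid_end])


def classify(cert):
    """Return (oid, algorithm name, verdict) for one certificate."""
    oid = signature_oid(cert)
    name, verdict = SIG_ALG_OIDS.get(oid, ("unknown", "unknown"))
    return oid, name, verdict


# ---- constructed test fixture (not a real certificate) -------------------------
def _der(tag, content):
    """Minimal DER TLV encoder, short and long length forms."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_sample_cert(sig_oid, pem=False):
    """Certificate skeleton with a placeholder TBS body; only the outer layout is real."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                              # stand-in tbsCertificate
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")   # OID + NULL params
    sig = _der(0x03, b"\x00" * 201)                                    # BIT STRING, long-form length
    der = _der(0x30, tbs + alg + sig)
    if not pem:
        return der
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines) + b"\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            oid, name, verdict = classify(f.read())
        print(f"{path}: {name} ({oid}) -> {verdict}")
```

Run it against the exported CA certificate before and after any wizard run; a "weak" verdict on the CA or on a node certificate means the SHA1 material is back and steps 1 to 5 (and the policy redeployment) have to be repeated. The parser deliberately reads only the outer signatureAlgorithm, which is the field that determines what hash the issuing CA actually used, and does not validate the certificate otherwise.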
